diff --git a/admin/security_center.php b/admin/security_center.php
index a289a52168..4b83368288 100644
--- a/admin/security_center.php
+++ b/admin/security_center.php
@@ -59,6 +59,7 @@
 }
 $where_clauses = array();
+$extra_where_raw = null;
 if (!empty($filters['user_id'])) {
 $where_clauses[] = 'la.user_id = '.intval($filters['user_id']);
@@ -91,7 +92,20 @@
 if (isset($_GET['extra_where']) && $_GET['extra_where'] !== '') {
- $where_clauses[] = $_GET['extra_where'];
+ // Do not allow raw SQL injection through the extra_where parameter.
+ // Only accept very simple safe expressions (column operator value),
+ // e.g. "la.username = 'bob'" or "la.user_id = 123" or "la.ip_address LIKE '192.%'".
+ // This strict whitelist reduces the risk of SQL injection and avoids
+ // more invasive refactors.
+ $extra_where_raw = $_GET['extra_where'];
+ if (preg_match("/^[A-Za-z0-9_\.]+\s*(=|LIKE|!=|<>|>=|<=|>|<)\s*(?:'[^']*'|\\d+)$/i", $extra_where_raw))
+ {
+ $where_clauses[] = $extra_where_raw;
+ }
+ else
+ {
+ // Invalid extra_where ignored for security reasons
+ }
 }
 $where_sql = count($where_clauses) > 0 ? 'WHERE '.implode("\n AND ", $where_clauses) : '';
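Review bot: The new whitelist still appends the request string `$extra_where_raw` to the SQL verbatim, and the pattern is looser than the comment above it promises: the column part `[A-Za-z0-9_\.]+` accepts any identifier rather than the `la.*` columns this page actually filters on, the quoted-value alternative `'[^']*'` admits backslashes (an escape character in MySQL unless NO_BACKSLASH_ESCAPES is set, so the literal can end unterminated), and the bare `$` anchor also matches before a trailing newline. Capture the three parts, check the column against an explicit list of filterable columns, exclude backslashes from the literal, anchor with `\z`, and rebuild the clause from the validated pieces instead of the raw input; binding the value through the file's database layer would be better still, but that layer is not visible in this hunk. The rejected case is silent and the `else` branch holding only a comment reads as an oversight — either drop it or record the rejection so operators can see malformed filter values. Since `$extra_where_raw` is now initialised at the top of the file it presumably gets rendered back into the filter form later; if so it needs `htmlspecialchars()` at that point, which this hunk does not show.
```php
if (isset($_GET['extra_where']) && $_GET['extra_where'] !== '') {
    $extra_where_raw = $_GET['extra_where'];
    // Columns a filter may reference; anything else is rejected. TODO: confirm against the query's actual column set.
    $extra_where_columns = array('la.user_id', 'la.username', 'la.ip_address');
    // Value must be an integer literal or a quoted string with no quotes or backslashes; \z (not $) so a trailing newline cannot slip past.
    if (preg_match("/^([A-Za-z0-9_.]+)\\s*(=|LIKE|!=|<>|>=|<=|>|<)\\s*(?:'([^'\\\\]*)'|(\\d+))\\z/i", $extra_where_raw, $m)
        && in_array($m[1], $extra_where_columns, true))
    {
        // Rebuild the clause from the validated parts rather than echoing the request string.
        $value = isset($m[4]) && $m[4] !== '' ? $m[4] : "'".$m[3]."'";
        $where_clauses[] = $m[1].' '.$m[2].' '.$value;
    }
    // … unchanged: else branch (rejected value ignored) …
}
```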